SAMATE Logo NIST Logo The SAMATE Project Department of Homeland Security
Downloads:  Download this Test Case #153626

Back to the previous page... Back to the previous page

Test Case IDCandidate153626
Bad / Good / MixedBadBad test case
AuthorIARPA STONESOUP Test and Evaluation team
Associations
Test suite: 102  
Application: 4  
Added byCharles Oliveira
LanguageC
Type of test caseSource Code
Input string
Expected Output
Instructions
See src/INSTALL file for instructions on how to install.
Submission date2015-10-06
DescriptionThis test case implements an sprintf that uses untrusted user input without a format string. The test case takes untrusted user input and passes it to an sprintf that does not implement a format string. This allows the user to pass format strings to the test case causing it to leak sensitive data and possibly allowing an attacker to cause a buffer overflow and inject shell code.
Metadata
- Base program: OpenSSL
- Source Taint: ENVIRONMENT_VARIABLE
- Data Type: STRUCT
- Data Flow: BUFFER_ADDRESS_POINTER
- Control Flow: SEQUENCE
File(s)
Flaw

There are no comments
Have any comments on this test case? Please, .

File Contains:
CWE-134: Uncontrolled Format String on line(s): 321, 322, 323, 324, 325